ZeroAccess... thought this was gone

[donkrx]

OK so thankfully I kept on reading about malware etc and came across a video on youtube talking about ZeroAccess. I checked into some of the things he was pointing out as symptoms and sure enough I have them, but I have not seen anything in Sysinternals proc explorer or in my network activity.

I had ZeroAccess on my system maybe a week ago when I opened a "crack" (I'm a dumbass honestly, I should know better) and since AVG could not handle it I went to the forums and found someone suggesting to use RogueKiller and HitmanPro. I used those in conjunction and they both seemed to deal with the threat, I was able to "replace" the infect svchost.exe and basically every single symptom that I noticed was gone at the time. I ran scans with malwarebytes, Avast, hitmanpro, as well as an Avast boot scan which all came back clean. Since then I've been doing everything sandboxed. I also looked into things with Sysinternals Process Explorer and found absolutely nothing suspicious.

What I did just recently was I ran TDSS Killer, had to do it a couple times with different options and I got different results... but it found things. So I followed along to remove or quarantine and then rebooted. After reboot, Sysinternals proc explorer does not work (got it to work in Sandboxie tho) and a lot of very suspicious things started happening. Something changed slightly with the TDSSKiller scan and I can tell it's being faked (specifically it appears to skip over the drivers in %windir%/system32/drivers).

Surprisingly Autoruns works just fine without any virualization trickery, and looking in there I see many suspicious items. I'm going to try to disable just the ones that I am very confident wont break my computer and see what happens. Other than that please advise.

Thank you guys ....

[donkrx]

Also, there are a bunch of suspicious files/drivers/dlls I've identified but I am locked out of scanning them on virustotal.com (I can reach the site but the ones I want to scan dont show up when I try to navigate to them). One of them for example is "gatherNetworkInfo.vbs". Does not sound friendly lol.

This thing seems to have dropped/downloaded an ass ton of shit today, I dont think a lot of this was here before.

[mikaelrask]

hey i would suggest you follow this guide and let a malware expert have a second look at your system sens zero access is a nasty infection.

http://forum.avast.com/index.php?topic=53253.0

[donkrx]

OK. Thanks, i had to cut the internet out because i found it taking screenshots of my web searches , so im on my phone for now ... Since it was sandboxed it was easy for me to find them.

I managed to succeed with a few things, I used autoruns to stop some things from executing which enabled me to then delete malware dlls. I found what might be an important executable, and deleted user accounts that werent supposed to be there. I still have files in the recycle bin if needed and Ive stayed away from direct registry editing... Probably gonna make a restore point again now.

A question I have is this - if i delete all the stuff making the malware run and initialize, how would i repair the system processes like explorer.exe that have been injected with malicious code? Does the injection go away if the files are removed or does it have to be repaired by something like combofix?

[Pondus]

if you follow the guide given to you above, then one of the removal experts will do it for you

attach logs from AdwCleaner / Malwarebytes / OTL / aswMBR

[essexboy]

Do not delete anything from TDSSKiller that are marked as suspicious, you could break the system

[donkrx]

Sorry, I meant to come back and reply to this but I just had a lot to think about this week. At any rate, I decided to reformat.

I ended up doing what I could with Sysinternals tools to clean my PC then I moved my media (500gb worth). I mostly just wanted to see what I could find/learn/do manually ... yes I knew I could break the system but sometimes you cant learn without breaking, lol (though I didnt mean to delete that once). Also, I found out that the screenshots were actually "legitimate" and from Firefox (sketchy if you ask me).

After I ran TDSS killer the first time and rebooted & obviously got reinfected at logon, I stopped getting any sort of help or detections from anti-malware software. So many things were completely confusing and contradictory that I really can't give any sort of conclusion about this thing other than it gave me a gigantic F'ing headache lol... but I guess I brought that upon myself this time because I wanted to take a shot at it.

I actually wish I remembered where I got this specific piece of malware so I could go and put it on a virtual machine lol. Anyway, sorry to waste your time.

[essexboy]

Time is never wasted, I am here if required